Doug Sampson wrote:
>> On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
>>
>>> I want to back up a client running packet filter. I am using Bacula to
>>> back up this client to a Bacula server in the internal network. The
>>> Bacula client has two interfaces, one external and one internal. The
>>> client's internal IF is 192.168.1.25. The Bacula server is at
>>> 192.168.1.17.
>>>
>>> When I attempt to contact the Bacula file daemon on the client, it
>>> responds by sending packets to the Bacula server daemon at a different
>>> port. It should contact the storage daemon at port 9103 but instead it
>>> attempts to contact the storage daemon at a port address that is not
>>> 9103. Thus the backup job fails.
>>>
>>> I've tried rdr to no avail. Here's my pf.conf:
>>>
>>> mailfilter /usr/local/etc# pfctl -vvnf /etc/pf.conf
>>>
>> Use "pfctl -vvsr" instead of -nf to make sure you really get the rules
>> that are loaded and not those that you wanted to load.
>>
>>
>
> mailfilter-root /usr/local/etc# pfctl -vvsr
> No ALTQ support in kernel
> ALTQ related functions disabled
> 0 scrub in all fragment reassemble
>   [ Evaluations: 18953753 Packets: 9488185 Bytes: 0 States: 0 ]
> 0 block drop in log all
>   [ Evaluations: 125309 Packets: 710 Bytes: 107361 States: 0 ]
> 1 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
>   [ Evaluations: 61682 Packets: 333 Bytes: 141046 States: 0 ]
> 2 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
>   [ Evaluations: 92705 Packets: 0 Bytes: 0 States: 0 ]
> 3 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
>   [ Evaluations: 78929 Packets: 0 Bytes: 0 States: 0 ]
> 4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
>   [ Evaluations: 29478 Packets: 0 Bytes: 0 States: 0 ]
> 5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
>   [ Evaluations: 75458 Packets: 0 Bytes: 0 States: 0 ]
> 6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> 7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> 8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> 9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
>   [ Evaluations: 62532 Packets: 0 Bytes: 0 States: 0 ]
> 10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> 11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> 12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> 13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 125309 Packets: 0 Bytes: 0 States: 0 ]
> 14 block drop in log quick inet from 192.168.1.25 to any
>   [ Evaluations: 112752 Packets: 0 Bytes: 0 States: 0 ]
> 15 pass in on xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 61682 Packets: 60947 Bytes: 17390149 States: 0 ]
> 16 pass out log on xl0 inet from any to 192.168.1.0/24
>   [ Evaluations: 124639 Packets: 51070 Bytes: 43963111 States: 0 ]
> 17 pass out log quick on xl0 inet from any to 10.8.0.0/24
>   [ Evaluations: 51070 Packets: 0 Bytes: 0 States: 0 ]
> 18 pass out on rl0 proto tcp all flags S/SA modulate state
>   [ Evaluations: 64297 Packets: 53895 Bytes: 42581384 States: 4 ]
> 19 pass out on rl0 proto udp all keep state
>   [ Evaluations: 12557 Packets: 23586 Bytes: 1793665 States: 0 ]
> 20 pass out on rl0 proto icmp all keep state
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> 21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
>   [ Evaluations: 74239 Packets: 0 Bytes: 0 States: 0 ]
> 22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>   [ Evaluations: 112420 Packets: 0 Bytes: 0 States: 0 ]
> mailfilter-root /usr/local/etc#
>
> According to the output of "pfctl -vvsr", the packets are being allowed back
> into the internal network, which is what I want (according to rule #16).
>
That's part of the problem.....
> Is there another way of writing rules that will enable the Bacula client to
> pass packets to the correct port number?
>
Yes, make the 1st rule
block log all
to drop both ingress and egress traffic by default.
Secondly, get rid of the stateless rules. Use keep state everywhere, with
flags S/SA if matching tcp traffic.
Regards
Greg
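For readers following the thread: the ruleset below is an added example, not Doug's configuration and not something Greg posted. It shows what the two suggestions above (a default-deny first rule, and stateful pass rules only) look like in a pf.conf on the Bacula client host itself. It assumes, from the listing, that xl0 is the internal interface (this host is 192.168.1.25) and rl0 the external one, that the Bacula director and storage daemon both run on 192.168.1.17, and that the Bacula defaults of port 9102 for the file daemon and 9103 for the storage daemon (the port named in the thread) are in use. It covers only the traffic the thread mentions (SMTP, ssh, Bacula); anything else the host needs gets its own stateful pass rule in the same style.

```pf
# Added example (not from the thread): pf.conf for the Bacula client host,
# applying the two suggestions above: default deny, then stateful passes only.
# Assumed: xl0 = internal interface (this host is 192.168.1.25), rl0 = external,
# director and storage daemon on 192.168.1.17, Bacula default ports 9102 (file
# daemon on this host) and 9103 (storage daemon, as mentioned in the thread).

ext_if = "rl0"
int_if = "xl0"
lan    = "192.168.1.0/24"
me     = "192.168.1.25"
bacula = "192.168.1.17"
table <private> { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all fragment reassemble

# First suggestion: one default-deny rule for both directions, logged.
# pf is last-match-wins, so every later "pass ... keep state" rule overrides
# this for the traffic it names and everything else is dropped and logged.
block log all

# Private and loopback addresses never belong on the external interface.
# Replaces the eight stateless block rules 5-12 of the original listing.
block drop in  log quick on $ext_if from <private> to any
block drop out log quick on $ext_if from any to <private>

# Second suggestion: every pass rule keeps state, and TCP rules match only
# the initial SYN (flags S/SA). Reply packets, including the file daemon's
# answers to the director, are matched by the state entry before the rules
# are consulted, so no stateless "pass out ... to 192.168.1.0/24" rule like
# the original rule 16 is needed.

# Director -> file daemon on this host
pass in  on $int_if inet proto tcp from $bacula to $me port 9102 \
    flags S/SA keep state
# File daemon on this host -> storage daemon (the 9103 session from the thread)
pass out on $int_if inet proto tcp from $me to $bacula port 9103 \
    flags S/SA keep state

# Mail filter duty: SMTP in from anywhere, SMTP out to anywhere
pass in  on $ext_if inet proto tcp from any to ($ext_if) port smtp \
    flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port smtp \
    flags S/SA modulate state

# Management: ssh from the internal network only
pass in on $int_if inet proto tcp from $lan to $me port ssh \
    flags S/SA keep state

# Everything else this host initiates towards the Internet
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then confirm what is actually loaded with `pfctl -vvsr` as suggested earlier in the thread. While a backup job runs, `pfctl -ss` should show one state for the director's connection to port 9102 and one for this host's connection to port 9103; if the job still fails, the `block log all` rule means the dropped packets appear on pflog0, which is the fastest way to see which port the file daemon is really trying to reach.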
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"